As described in Daniel Quinlan’s previous post, the Sky ATP pipeline includes static analysis, dynamic analysis, and methods that are a hybrid of the two. The static analysis engine parses each file and examines its structure and contents without running it. The dynamic analysis engine opens or executes the file in a controlled environment (a sandbox) and records the resulting behavior: file, registry, process, and network activity. Together these stages produce thousands of data points for each sample, including overt indicators such as:
File anomalies: corrupted sections, unusual structure, encrypted or obfuscated sections.
Evasive behavior: checks for a sandbox, virtual machine, or debugger; stalling through long delays; and similar subterfuge.
Malicious behavior: access, modification, or deletion of files, or changes to system settings.
Network traffic: communication with known or suspected command-and-control servers, unusual traffic patterns, unusual ports, etc.
Beyond the overt indicators, the analysis pipeline extracts many more features that – taken individually – do not indicate that a file is benign or malicious, but which are used in conjunction with machine learning to distinguish safe files from malicious ones.
Infection through Visual Basic macros
Infection by Locky and similar ransomware usually starts with a document – often Microsoft Word or Excel – that tricks the user into enabling dangerous macros. In the following screenshot, a “Protected Document” instructs the user to enable macros.
A different variant mimics the Office warning user-interface, complete with loading icon (though not animated). Note that the “SOMETHING WENT WRONG” bar is part of the document itself:
Sky ATP uses both static analysis and dynamic analysis (sandboxing) to classify potential threats. By detecting features such as dangerous Visual Basic macros or suspicious network activity, Sky ATP can identify a document as malicious and prevent the infection before the payload ever runs. Here is a look at the Sky ATP user interface displaying the summary of a malware-delivering Microsoft Office file:
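The static side of that macro check can be shown in a few lines. The following is an added example written for this post, not Sky ATP code: it opens an Office file from bytes, decides whether it carries a VBA project, and scans the project for the two things a macro dropper needs, an auto-execution entry point (AutoOpen, Document_Open, Workbook_Open and friends) and calls that spawn processes or fetch payloads (Shell, CreateObject, URLDownloadToFile and similar). The trigger and call lists and the in-memory .docm fixture are constructed for the example; the scan works on raw bytes, so it only sees identifiers stored uncompressed (stream names, p-code name tables) and will miss source that survives only in MS-OVBA-compressed form, which a full analyzer such as olevba decompresses.

```python
import io
import zipfile

# Macro entry points that run as soon as the user clicks "Enable Content"
# (Word document events and Excel workbook events). Constructed, not exhaustive.
AUTO_EXEC_NAMES = (
    "AutoOpen", "Document_Open", "AutoExec", "AutoClose", "Document_Close",
    "Auto_Open", "Workbook_Open", "Auto_Close", "Workbook_Close",
)
# Calls a dropper needs to fetch and run a payload: process creation, COM
# automation, environment lookups, HTTP and binary streams. Also constructed.
SUSPICIOUS_CALLS = (
    "Shell", "WScript.Shell", "CreateObject", "Environ", "URLDownloadToFile",
    "MSXML2.XMLHTTP", "ADODB.Stream", "Chr(",
)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container


def _count_hits(blob: bytes, names) -> dict:
    """Case-insensitive count of each name in ASCII and in UTF-16LE; OLE stream
    names and some VBA identifier tables are stored as UTF-16LE."""
    lowered = blob.lower()          # bytes.lower() only touches ASCII letters
    hits = {}
    for name in names:
        n = lowered.count(name.lower().encode("ascii"))
        n += lowered.count(name.lower().encode("utf-16-le"))
        if n:
            hits[name] = n
    return hits


def analyze_office_file(data: bytes) -> dict:
    """Static triage of an Office file: is a VBA project present, and does it
    carry the auto-exec hooks and system calls a macro dropper needs?
    Handles OOXML (.docm/.xlsm, a zip) and OLE2 (.doc/.xls) containers."""
    result = {"container": "unknown", "has_macros": False, "auto_exec": {},
              "suspicious_calls": {}, "verdict": "not an Office file"}
    blobs = []
    if data.startswith(b"PK\x03\x04"):
        result["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # The VBA project, when present, is one OLE2 part with a stable name.
            blobs = [zf.read(n) for n in zf.namelist()
                     if n.lower().endswith("vbaproject.bin")]
    elif data.startswith(OLE2_MAGIC):
        result["container"] = "ole2"
        # Directory entries hold stream names as UTF-16LE; "_VBA_PROJECT" only
        # exists when a VBA project is embedded.
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            blobs = [data]
    else:
        return result

    result["verdict"] = "clean"
    if not blobs:
        return result
    result["has_macros"] = True
    for blob in blobs:
        for key, n in _count_hits(blob, AUTO_EXEC_NAMES).items():
            result["auto_exec"][key] = result["auto_exec"].get(key, 0) + n
        for key, n in _count_hits(blob, SUSPICIOUS_CALLS).items():
            result["suspicious_calls"][key] = result["suspicious_calls"].get(key, 0) + n
    if result["auto_exec"] and result["suspicious_calls"]:
        result["verdict"] = "likely dropper"   # runs by itself and can spawn/download
    elif result["auto_exec"] or result["suspicious_calls"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "macros present"
    return result


def build_sample_docm(vba_blob=None) -> bytes:
    """Construct a minimal OOXML container in memory (test fixture, not real Word
    output): the parts a .docm carries, with vbaProject.bin omitted when None."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if vba_blob is not None:
            zf.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()


# Constructed fixture standing in for the identifier table of a dropper macro.
DROPPER_VBA = (b'Sub AutoOpen()\r\n'
               b'  Set o = CreateObject("WScript.Shell")\r\n'
               b'  o.Run Environ("TEMP") & "\\x.exe"\r\n'
               b'End Sub\r\n')

if __name__ == "__main__":
    for label, doc in (("dropper", build_sample_docm(DROPPER_VBA)),
                       ("macro-free", build_sample_docm())):
        print(label, analyze_office_file(doc))
```

The verdict is deliberately conservative: a document with macros but no auto-exec hook is reported as "macros present", not malicious, because plenty of legitimate spreadsheets carry VBA. It is the pairing of an entry point that fires on open with a call that can reach outside the document that makes the sample look like the "Protected Document" lure above.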
Recent variants of Locky have become more resistant to automated detection by randomizing registry keys and filenames. However, the attack remains similar: the malware communicates with a command-and-control server to register the victim’s machine and get an encryption key, encrypts the user’s files, and then displays a ransom message. Here we see the unencrypted images in the user’s home directory:
After the ransomware executes, all of the files are replaced by encrypted versions with the .locky extension along with a ransom message:
Sky ATP takes thousands of data points from static analysis, dynamic analysis, and network-related intelligence and then applies machine learning algorithms to render a verdict on potentially dangerous files. For example, Sky ATP can detect the ransom messages left by Locky:
Other potential indicators of compromise used in the verdict include communication with known or suspicious servers, indications of obfuscation or sandbox evasion, and other anomalies. Here, we see the Sky ATP summary of a Locky sample:
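The behavioral side of the Locky verdict, the mass replacement of files by high-entropy copies under a new extension plus a dropped ransom note, can be expressed as a feature extractor over a sandbox file-activity trace. The block below is an added example written for this post, not Sky ATP code; the event format, the keyword lists, the thresholds, the rule-based stand-in for the machine-learning verdict, and the two traces (a Locky-shaped run and a benign editor save) are all constructed for the example. The Locky-shaped trace uses a seeded PRNG in place of ciphertext so it runs offline and deterministically.

```python
import math
import random
from collections import Counter
from pathlib import PureWindowsPath

HIGH_ENTROPY = 7.5   # bits per byte; ciphertext and compressed data sit close to 8
MIN_SAMPLE = 256     # very short writes give unreliable entropy estimates
# Words ransomware tends to put in note file names and bodies (constructed lists).
NOTE_NAME_HINTS = ("recover", "decrypt", "restore", "readme", "help", "instruction")
NOTE_BODY_HINTS = ("encrypted", "decrypt", "bitcoin", "tor", "private key")


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution: 0.0 for empty input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_file_features(events) -> dict:
    """Turn a file-activity trace into the indicators discussed above.
    events: {"op": "write", "path": str, "data": bytes} or {"op": "delete", "path": str}."""
    writes = [e for e in events if e["op"] == "write"]
    deletes = [e for e in events if e["op"] == "delete"]
    ext_counts = Counter(PureWindowsPath(e["path"]).suffix.lower() for e in writes)
    dominant_ext, dominant_n = ext_counts.most_common(1)[0] if writes else ("", 0)
    high_entropy = sum(1 for e in writes
                       if len(e["data"]) >= MIN_SAMPLE
                       and shannon_entropy(e["data"]) >= HIGH_ENTROPY)
    notes = []
    for e in writes:
        name = PureWindowsPath(e["path"]).name.lower()
        if any(h in name for h in NOTE_NAME_HINTS):
            body = e["data"].decode("utf-8", "ignore").lower()
            if sum(h in body for h in NOTE_BODY_HINTS) >= 2:
                notes.append(e["path"])
    return {"writes": len(writes), "deletes": len(deletes),
            "dominant_ext": dominant_ext,
            "dominant_ext_share": dominant_n / len(writes) if writes else 0.0,
            "high_entropy_writes": high_entropy, "ransom_notes": notes}


def classify(features: dict) -> str:
    """Rule score standing in for the ML verdict: each indicator alone is weak
    (a backup job also writes many high-entropy files), the combination is not."""
    score = 0
    if features["high_entropy_writes"] >= 10 and features["dominant_ext_share"] >= 0.8:
        score += 2   # mass encryption into one new extension
    if features["deletes"] >= 10 and features["deletes"] >= 0.8 * features["writes"]:
        score += 1   # originals removed as the encrypted copies are written
    if features["ransom_notes"]:
        score += 2
    return "ransomware-like" if score >= 3 else "benign-looking"


PICTURES = r"C:\Users\victim\Pictures"   # constructed victim profile


def build_locky_like_trace(n_files: int = 20) -> list:
    """Constructed trace shaped like the Locky run above: each picture is replaced
    by a random-looking blob under a random hex name with a .locky extension,
    the original is deleted, and a ransom note is dropped at the end."""
    rng = random.Random(7)
    events = []
    for i in range(n_files):
        original = str(PureWindowsPath(PICTURES, f"IMG_{i:04d}.jpg"))
        encrypted = str(PureWindowsPath(PICTURES, f"{rng.getrandbits(64):016X}.locky"))
        events.append({"op": "write", "path": encrypted,
                       "data": bytes(rng.getrandbits(8) for _ in range(4096))})
        events.append({"op": "delete", "path": original})
    events.append({"op": "write",
                   "path": str(PureWindowsPath(PICTURES, "_Locky_recover_instructions.txt")),
                   "data": (b"!!! IMPORTANT INFORMATION !!!\r\n"
                            b"All of your files are encrypted with RSA-2048 and AES-128.\r\n"
                            b"Decrypting is only possible with the private key, sold via "
                            b"Tor for Bitcoin.\r\n")})
    return events


def build_benign_trace() -> list:
    """Constructed trace of an editor saving a text file through a temp file."""
    doc = str(PureWindowsPath(r"C:\Users\victim\Documents", "notes.txt"))
    body = b"meeting notes, action items\r\n" * 40
    return [{"op": "write", "path": doc + ".tmp", "data": body},
            {"op": "delete", "path": doc},
            {"op": "write", "path": doc, "data": body}]


if __name__ == "__main__":
    for label, trace in (("locky-like", build_locky_like_trace()),
                         ("benign", build_benign_trace())):
        feats = extract_file_features(trace)
        print(label, classify(feats), feats)
```

Note what the extension feature does and does not buy: it catches this Locky build because every encrypted file gets the same new suffix, and it is exactly the feature later variants erode by randomizing names. The entropy and ransom-note features survive that change, which is why a verdict built from many weak features degrades more gracefully than a single signature.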
Mischa is a new variant of the Petya ransomware. This particular sample encrypts the user’s files and adds a randomly generated extension (in this case, .1RoZ ):
Unlike Locky, Petya/Mischa not only encrypts files, but also overwrites the Master Boot Record with its own boot code. (Update: as hasherezade notes at MalwareBytes, this sample has two distinct payloads, depending on whether the user allows elevated privileges.) When the computer reboots, the victim is greeted with this retro animation:
The ransom image follows:
In addition to the standard static and dynamic malware indicators, Sky ATP uses the fact that the executable disguises itself as a PDF file as an indicator of maliciousness.
Sky ATP flags Mischa as a high-level threat.
Like Locky, the TeslaCrypt ransomware encrypts a user’s files and demands a Bitcoin payment in exchange for the decryption key. Some of the features we used in Sky ATP to detect this recent sample include its keyboard and mouse hooking, persistence behavior, code obfuscation, and the use of dynamic DNS domains for communication.
The latest 7ev3n variant encrypts the user’s files then forces a reboot.
After the reboot, a ransom message is displayed, including a warning that the ransomware operators “reserve the right to publicly publish all encrypted files”.
Sky ATP detects in this sample a number of behaviors related to persistence, obfuscation, evasion, and system modification, leading to a verdict of “High threat level.”
This Jigsaw sample initially pops up a fake error message with a pornographic icon. Moments later, an X-rated ransom message is displayed.
Sky ATP detects mass file deletion, changes to browser settings, and anomalies in the Portable Executable (PE) file.
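Two of the static indicators mentioned for these samples, an executable disguised as a PDF (Mischa) and anomalies in the PE file (Jigsaw), come from the same place: reading the PE headers and comparing what they claim with the file name and with each other. The block below is an added example written for this post, not Sky ATP's parser; it reads the DOS header, PE signature, COFF header, entry point and section table with the standard library, then reports the structural oddities a triage stage would feed into a verdict. The section-name whitelist, the document-extension list, and the two constructed PE images (a UPX-style packed layout named as a PDF and a clean two-section layout) are fixtures for the example, not real binaries.

```python
import os
import struct

# Section names emitted by common linkers; packers use their own (UPX0, .aspack).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".textbss"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Extensions under which a PE image has no business appearing (constructed list).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def parse_pe(data: bytes) -> dict:
    """Minimal PE reader: DOS header -> PE signature -> COFF header -> the optional
    header fields we need -> section table. Raises ValueError on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]    # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsect):
        off = opt_off + opt_size + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, rawsize, rawptr, *_, schars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr, "chars": schars})
    return {"machine": machine, "magic": magic, "timestamp": stamp, "entry": entry, "sections": sections}


def pe_anomalies(data: bytes, filename: str) -> list:
    """Structural indicators: disguise, corruption, and the usual packing signs."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if data[:2] == b"MZ" and ext in DOCUMENT_EXTENSIONS:
        findings.append(f"executable disguised as {ext}")
    try:
        pe = parse_pe(data)
    except (ValueError, struct.error) as exc:
        findings.append(f"malformed: {exc}")
        return findings
    if not pe["sections"]:
        findings.append("no sections")
    entry_in_section = False
    for s in pe["sections"]:
        if s["vaddr"] <= pe["entry"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            entry_in_section = True
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["rawsize"] == 0 and s["vsize"] > 0 and s["name"] != ".bss":
            findings.append(f"section {s['name']} is empty on disk but 0x{s['vsize']:x} bytes "
                            f"in memory (filled at run time)")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
        if s["rawptr"] + s["rawsize"] > len(data):
            findings.append(f"section {s['name']} raw data runs past end of file")
    if not entry_in_section:
        findings.append(f"entry point 0x{pe['entry']:x} lies outside every section")
    return findings


def build_pe(sections, entry_rva: int) -> bytes:
    """Assemble a constructed 32-bit PE image (fixture, not compiler output).
    sections: (name, virtual_size, virtual_address, raw_bytes_or_None, characteristics)."""
    file_align, opt_size = 0x200, 224
    headers_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    first_ptr = ptr = -(-headers_end // file_align) * file_align   # round up
    table, blobs = b"", b""
    for name, vsize, vaddr, raw, chars in sections:
        rawsize = len(raw) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, vaddr, rawsize, ptr if raw else 0, 0, 0, 0, 0, chars)
        if raw:
            padded = -(-rawsize // file_align) * file_align
            blobs += raw.ljust(padded, b"\0")
            ptr += padded
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5735F2C0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva,
                      0x1000, 0x2000, 0x400000, 0x1000, file_align).ljust(opt_size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_ptr, b"\0") + blobs


EXEC_READ_CODE, READ_WRITE_DATA, RWX = 0x60000020, 0xC0000040, 0xE0000000


def build_packed_sample() -> bytes:
    """UPX-style layout: an empty section the stub unpacks into, plus an RWX stub."""
    return build_pe([("UPX0", 0x10000, 0x1000, None, RWX | 0x80),
                     ("UPX1", 0x2000, 0x11000, b"\x60\xbe\x00\x10\x41\x00" * 50, RWX | 0x40)],
                    entry_rva=0x11000)


def build_clean_sample(entry_rva: int = 0x1000) -> bytes:
    return build_pe([(".text", 0x200, 0x1000, b"\x31\xc0\xc3".ljust(0x200, b"\xcc"), EXEC_READ_CODE),
                     (".data", 0x100, 0x2000, b"\0" * 0x100, READ_WRITE_DATA)], entry_rva)


if __name__ == "__main__":
    print(pe_anomalies(build_packed_sample(), "Invoice_2016.pdf"))
    print(pe_anomalies(build_clean_sample(), "hello.exe"))
```

The extension check is the cheapest indicator on the list and also the one Sky ATP cites for Mischa: a file that starts with MZ but is delivered as something.pdf has already lied once. The rest are weak on their own (legitimate packed software also has RWX and empty-on-disk sections), which is exactly why they are inputs to a classifier rather than verdicts by themselves.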
Conclusion: Hashes and Heuristics
Ransomware is evolving so rapidly that it’s difficult to even keep track of the families and variants currently attacking computers in the wild. With thousands of new binaries appearing daily, traditional signature-based anti-virus products are of little use. Heuristics and fuzzy matches do not fare much better: entire new families of malware emerge weekly, and the existing families mutate frequently, discarding known behavior to evade signature and heuristic-based detection.
Sky ATP goes beyond signatures and heuristics to provide an integrated solution with machine learning at every stage. Thousands of features from static, dynamic and hybrid analysis are extracted from a large, continually-updated collection of samples – both malicious and benign – to construct a machine learning classifier that identifies and blocks previously unseen malware types.
In the next post, we’ll take a deeper look at the latest incarnation of the Petya/Mischa ransomware.